Security Digest 2.02

The Month In Review

February was a good month for security software releases. The long-awaited L0phtcrack 2.0 NT password cracker was released this month. The main enhancement of this new version is the ability to retrieve password hashes by simply sniffing the attached network. Also, the latest version of MIT’s Kerberos package - 1.0.5 - was made available, containing a number of bug-fixes over the 1.0.4 version.

Denial of Service attacks continued to be popular this month. CERT’s summary indicated the continued exploitation of the statd DoS attack. IBM and HP also issued DoS advisories, albeit for entirely separate vulnerabilities.

If you make use of a package called Wingate, and you haven’t taken specific steps to secure the default installation, you may be assisting a number of undesirable activities. Due to Wingate’s poor logging capability and its highly insecure default configuration, your installation may be routing SPAM, posting porn, or contributing to Denial of Service (or worse) attacks.

Finally, a very interesting end to the month: the US Defense Department revealed that several of its non-classified systems had been successfully penetrated by attackers via the Internet. If nothing else, this issue should get a lot of coverage in the media (and perhaps even a made-for-TV movie ;-). Stay tuned for more.

Enjoy the digest!

Security News

98/02/03 - Slackware imap3d/ipop3d problem

Recent reports have indicated that the imapd/ipop3d programs that ship with Linux Slackware 3.3 and 3.4 can be made to dump core when passed invalid usernames. Under certain circumstances, this behavior could be exploited to gain access to shadow password files. Affected users should upgrade to a fixed version.

98/02/05 - War ftpd Buffer Overflow

A buffer overflow has been found in the popular War FTP daemon for Windows 95/NT. By passing the daemon a carefully formed Username or Password, the FTP server can be caused to crash, or possibly to execute malicious code. This overflow is present in Version 1.65, and possibly others. Affected users should consider disabling the daemon (or using different software) until a patch is available.

98/02/07 - NT Port Binding Problem

The L0pht released an advisory yesterday indicating a problem in the Windows NT operating system. It appears that NT allows any logged-on user to bind to any TCP/IP port, even if this port is already being used by the operating system. Clearly, using this method, a logged-in user may bypass any IP packet filtering that is occurring on the machine, and even redirect these ports to an entirely different machine. Denial of Service, and possibly password stealing, could be accomplished in this manner. For full details, see the L0pht Advisory.

98/02/08 - CERT Advisory CA-98.04 Released

CERT has released Advisory CA-98.04 today. This advisory describes a problem with Windows NT-based WWW servers that may allow unauthorized access to webserver-protected files. See the advisory for details.

98/02/10 - Solaris volrmmount patches available

Sun Microsystems has released patches for the volrmmount problem under Solaris 2.6. Affected users should apply the patches immediately. See Sun Security Bulletin #00162 for file locations.

98/02/11 - AIX Telnet DoS Advisory Released

IBM released an advisory addressing the Telnet Denial of Service vulnerability against AIX versions 4.1.x - 4.3. For more information, see the IBM advisory or CIAC advisory I-029.

98/02/12 - Wingate Abuses

There have been several recent reports of abuse of the Wingate IP Masquerading/Proxying package. This package, commonly used to proxy multiple users through a single Internet-connected Windows machine, is highly insecure in its default configuration. Abuse is widespread and varied, including:

For advice on securing Wingate, see http://www.deerfield.com/wingate/secure-wingate.htm.

98/02/13 - L0phtcrack 2.0 Released

The latest version of the l0phtcrack NT password cracker was released yesterday, and is now available via the Codetalker Downloads page. In addition to brute-force and dictionary attack options, l0phtcrack now supports network sniffing to retrieve NT password hashes. In this mode, any user connected to an NT network can collect encrypted NT username/password pairs for import into l0phtcrack. See http://www.l0pht.com/l0phtcrack/ for more information.

98/02/14 - Cert Summary CS-98.01 Issued

CERT issued a summary today highlighting attacks against statd, imapd, and NFS. For more information see CS-98.01.

98/02/16 - Windows NT Logon DoS

Secure Networks Inc. has released an advisory detailing possible Denial of Service (DoS) attacks against Windows NT Servers. This attack, which causes a blue screen crash on the target machine, is caused by an incorrectly sized SMB logon packet.

Microsoft has issued a patch for this problem. It is available from their ftp site. See Knowledge Base article Q180963 or SNI Advisory SNI-25 for more information.

98/02/18 - Kerberos 1.0.5 Released

The latest version of MIT’s popular Kerberos network security package was released today. This release, 1.0.5, contains numerous bug fixes to the 1.0.4 code. For more information, see the Kerberos Web Site.

98/02/21 - OpenBSD Advisories

Two OpenBSD advisories have been released recently which deal with problems in OpenBSD and other 4.4BSD-derived operating systems. The first report indicates problems with the dosourceroute flag, where source routed packets are not rejected even when the system is configured to do so. The second advisory deals with a problem in the mmap() system call. Through careful manipulation of certain processes, a clever attacker may be able to obtain root access. See the OpenBSD project page for more information.

98/02/23 - Network Associates buys TIS

In a $300 million deal today, Network Associates (formerly McAfee Associates) purchased Trusted Information Systems (TIS), makers of the popular Gauntlet firewall suite. This latest expansion marks the third major expansion of the former virus software manufacturer, which merged with Network General last fall and purchased Pretty Good Privacy (PGP) in December.

98/02/24 - AOL Instant Messenger Bug

A serious buffer overflow has been identified in AOL’s Instant Messenger Software. This overflow makes it possible for malicious users to send arbitrary code to machines running the IM Software. If you are currently using the IM software, we highly recommend you disable it until a patch has been developed and applied.

98/02/25 - US Military Systems Penetrated

The US Defense Department announced today that for the past two weeks, they have been experiencing a "heavy duty cyberattack." This attack included the successful penetration of several unclassified networks, and attempts to create back doors to facilitate re-entry. Classified systems were apparently not penetrated.


About the Digest

Codetalker Digest was a monthly summary of security related news, information, and advisories collected throughout the month by Codetalker Communications, Inc.

About Codetalker

Codetalker Communications, Inc. was the creation of Calgary-based systems professionals Kjell Wooding, Evan Spence, Steve McQuade, Chris Grant, and Mat Hepton. It was born out of the need for a security focused consulting and development company in Western Canada.

Codetalker took its name from the Navajo codetalkers, Navajo radiomen employed by the US Marine Corps during World War II. Because they spoke a rather cryptic and slangy version of the Navajo language—one that was difficult for even uninitiated Navajos to understand—codetalker communications were essentially impossible for the Enemy to decode.

Codetalker Communications, Inc. was primarily focused in the areas of system and network security, including Internet and Intranet-related issues.

Disclaimer

By its very nature, security-related information can often be hard to come by. Many vendors (and users) do not subscribe to an open policy when it comes to releasing security information. This is unfortunate, as the policy of “security through obscurity” has repeatedly proven itself to be a dangerous and highly fallible posture. The information contained in this digest came from a variety of publicly accessible sources. Wherever possible, Codetalker Communications, Inc. tried to deliver the most accurate information possible; however, it cannot be held responsible for errors or omissions contained herein. If you are aware of any errors in this digest, please contact Kjell Wooding.

Redistribution

Codetalker Digest is copyright © 1997-99, Codetalker Communications, Inc. It may be freely redistributed provided that this copyright notice remains intact, and no fee is charged for its distribution.
